--- src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java.orig	2017-11-01 09:57:37.083991374 +0000

+++ src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java	2017-11-01 10:00:58.032279501 +0000

@@ -48,16 +48,29 @@

     static {

         Set<String> s = new HashSet<String>();

         // Courtesy of [https://github.com/kantega/notsoserial]:

-        // (and wrt [databind#1599]

+        // (and wrt [databind#1599])

         s.add("org.apache.commons.collections.functors.InvokerTransformer");

         s.add("org.apache.commons.collections.functors.InstantiateTransformer");

         s.add("org.apache.commons.collections4.functors.InvokerTransformer");

         s.add("org.apache.commons.collections4.functors.InstantiateTransformer");

+        // 05-Aug-2017, tatu: as per [https://github.com/mbechler/marshalsec/blob/master/marshalsec.pdf]

+        //    this is NOT likely to  be exploitable via Jackson. But keep excluded just in case.

         s.add("org.codehaus.groovy.runtime.ConvertedClosure");

         s.add("org.codehaus.groovy.runtime.MethodClosure");

         s.add("org.springframework.beans.factory.ObjectFactory");

         s.add("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl");

         s.add("org.apache.xalan.xsltc.trax.TemplatesImpl");

+        // [databind#1680]: may or may not be problem, take no chance

+        s.add("com.sun.rowset.JdbcRowSetImpl");

+        // [databind#1737]; JDK provided

+        s.add("java.util.logging.FileHandler");

+        s.add("java.rmi.server.UnicastRemoteObject");

+        // [databind#1737]; 3rd party

+        s.add("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor");

+        s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean");

+        s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource");

+        s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");

+

         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);

     }